User Manager + RADSEC

Does UserManager support RADSEC?
If not, why do the UserManager settings have a certificate field? Does it make sense to use a server certificate for TLS over UDP? If not TLS, what’s the use of it?

I have the same question... I assume User Manager does not support radsec until someone proves the opposite.
With radsec turned on (shared secret has been changed to "radsec", also using a trusted certificate as per the documentation), I got:

 no radius server found for 8a:00

error messages in radius, debug log.
(with hAP ax^3 & ROS 7.17.2)
No error messages with udp.

TMS

That certificate is used when authenticating the users (for instance for Phase 1 with PEAP when PEAP+MSCHAPv2 are being used), not for securing the communication between User Manager (RADIUS server) and the NAS (RADIUS client).

The certificate is sent for instance at this step:

> The server replies with a Server Hello in the Radius Access-Challenge packet with the chosen cipher and the server certificate

from this example https://community.cisco.com/t5/security-blogs/demystifying-peap-mschapv2-packet-flow-with-wireshark/ba-p/5145121

radsec in UM comes up in 7.21, but I tested it and I can’t make it work yet.

I did some tests, but UM responds “Bad certificate” to the client, and I don’t know how to generate a proper cert. I don’t know what UM is actually checking in radsec certs and I can’t tune these settings.

I’ll give you a quick example for the bare minimum, with the terms router and switch. This is making an assumption you are using the built-in /certificate. Both certificates need to be signed by the same CA and the client also needs to have a public copy of the CA that is trusted and included in the radius trust store.

Router: - 10.0.0.1/24

/certificate add name=radsec-router subject-alt-name=IP:10.0.0.1 key-size=2048

Switch: - 10.0.0.2/24

/certificate add name=radsec-switch subject-alt-name=IP:10.0.0.2 key-size=2048

Thanks, I’ll check it. I tested some things in the meantime and found out that the client’s and UM’s certs also had CA properties by mistake, and this caused “Bad certificate”.
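
The conditions named in the posts above (both certificates signed by the same CA, an IP subject-alt-name per device, no CA flag on the endpoint certificates) can be checked on exported certificates before they are loaded on either device. The script below is an added example, not posted by any participant and not MikroTik's own tooling; it uses OpenSSL on a workstation, all names, addresses and files are constructed, and it does not show what User Manager itself validates.

```shell
#!/bin/sh
# Added example. All names, IPs and files are constructed test data.

# make_pki DIR: build a throwaway CA, two correct leaves (router, switch),
# and one faulty leaf that also has CA:TRUE (the mistake from the last post).
make_pki() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=constructed-ca" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for spec in router:10.0.0.1:FALSE switch:10.0.0.2:FALSE faulty:10.0.0.2:TRUE; do
        n=${spec%%:*}; rest=${spec#*:}; ip=${rest%%:*}; ca=${rest#*:}
        printf 'basicConstraints=CA:%s\nsubjectAltName=IP:%s\n' "$ca" "$ip" > "$d/$n.ext"
        openssl req -newkey rsa:2048 -nodes -subj "/CN=radsec-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 30 -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
    done
}

# check_leaf CERT CAFILE IP: print the first problem found and return non-zero,
# or print "ok" when the certificate meets all three conditions.
check_leaf() {
    txt=$(openssl x509 -in "$1" -noout -text) || { echo "unreadable"; return 1; }
    if printf '%s\n' "$txt" | grep -q 'CA:TRUE'; then
        echo "CA:TRUE on an endpoint certificate"; return 1
    fi
    if ! printf '%s\n' "$txt" | grep -Eq "IP Address:$3(,|[[:space:]]|\$)"; then
        echo "SAN does not contain IP:$3"; return 1
    fi
    if ! openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo "not signed by the given CA"; return 1
    fi
    echo "ok"
}

# Demo run over the constructed certificates.
dir=$(mktemp -d)
make_pki "$dir"
for n in router:10.0.0.1 switch:10.0.0.2 faulty:10.0.0.2; do
    echo "${n%%:*}: $(check_leaf "$dir/${n%%:*}.pem" "$dir/ca.pem" "${n#*:}")"
done
```

To check real certificates, export them from /certificate as PEM and call `check_leaf` with the exported file, the CA file and the device's address.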